Providers have about six months to comply with the changes to privacy and security practices mandated by the HIPAA omnibus rule. The new rules could give some organizations headaches, and not just because they represent technical challenges.
HIPAA is not a healthcare privacy law. It protects certain kinds of health information when it's held by certain professionals in certain situations.
partner, Wiley Rein LLP
Speaking at the HealthTech Council meeting in Chicago, Kirk Nahra, partner at the law firm Wiley Rein LLP, said the new privacy and security regulations will force providers to make significant changes to some of their processes, but often without much actual benefit to the patient.
Nahra discussed, for example, how the new breach notification rules mirror those of other industries -- banking, for instance. However, when a person's financial records are lost or stolen, notifying customers is important because there are concrete steps they can take to protect themselves from further damage. They can close out accounts or monitor their credit reports more closely. The situation is not so clear in healthcare, Nahra said: There isn't much patients can do to protect themselves from further harm by learning of an inappropriate disclosure of their diagnoses or medications.
The new rules give patients the right to receive an accounting of every employee at their provider who touched their protected health information (PHI). Nahra called this one of the biggest wastes of time in the HIPAA regulations, because it will require hospitals to keep exhaustive records for a right that few patients are aware they have or will take advantage of. Even though the U.S. Department of Health and Human Services (HHS) made the rule with an eye toward patient empowerment, an appropriate goal, the specifics could put providers in a difficult position, he said. "Think about all the record-keeping that would be required of that," he added. "HHS is feeling its way on what it wants to do for patients. The rationale for this was patient empowerment. I don't think they've given up on getting patients more involved in their care."
Furthermore, Nahra said, he doesn't think the HIPAA regulations do as much to protect patients' information as most providers, patients or lawmakers believe. "HIPAA is not a healthcare privacy law," he said. "It protects certain kinds of health information when it's held by certain professionals in certain situations."
For example, when patients submit a medical record to their health insurance company after a car accident, the information is subject to HIPAA privacy regulations, but when those patients submit the exact same record to their car insurance company, the information is not subject to any privacy laws.
Linda Koontz, senior principal at Mitre Corp., said most of the updated HIPAA regulations reflect the desire of HHS to protect patients' health information regardless of where it goes throughout the healthcare system. A third-party data storage company should be held accountable for losing health data, just as providers are. But, she acknowledged, many of the new rules will be difficult to comply with, particularly for business associates, who now are liable for breaches just like covered entities under the new rules. Some might not even be aware of their new responsibilities.
Possibly the biggest change made by the HIPAA omnibus rule is the standard used to judge breaches. Koontz explained that regulators previously used a harm threshold test in the case of a data breach to determine whether penalties applied and patients had to be notified. But when the new rule goes into effect, it presumes harm in all breaches. Providers will have to prove that the disclosure of information is unlikely to lead to real harm to patients.
Nahra recommended that in order to prepare for this change, providers evaluate their next breach under both criteria. He believes that the outcome will be mostly the same under both tests, but it will be a helpful exercise. This might seem like a burdensome extra step now, but it could help hospitals get ready for the privacy and security changes coming their way.